1. PO1.3 Assessment of Current Capability and Performance
2. PO2.3 Data Classification Scheme
3. AI6.1 Change Standards and Procedures
4. DS4.1 IT Continuity Framework
5. DS5.2 IT Security Plan
6. DS5.3 Identity Management
7. DS5.5 Security Testing, Surveillance and Monitoring
8. DS5.9 Malicious Software Prevention, Detection, and Correction
9. DS5.10 Network Security
10. ME1.3 Monitoring Method
Supporting Explanation for Check-list Item Number 1
The first step in a security checklist for XYZ Company is COBIT PO1.3, an assessment of the current capability and performance of solution and service delivery. The assessment should measure IT's contribution to business objectives, functionality, stability, complexity, costs, strengths, and weaknesses. While this assessment will be useful for security purposes, all areas of IT can use it because security capabilities are a subset of overall IT capabilities. It will provide a baseline against which to compare future changes. Since XYZ is not a new company, it must have existing infrastructure and services in place. Thus, having a baseline is advantageous because it will allow IT to show tangible improvements to executives, which will help procure financing for future IT endeavors.
Assessing current capabilities will also prevent XYZ from building solutions from scratch when a similar one already exists. By reducing re-work, XYZ can use its funds to the utmost effect. Another side effect of the assessment will be groundwork for the identification of the company's information assets, which will be important in future steps such as data classification. According to COBIT, the assessment should also measure IT's strengths and weaknesses. Some of the weaknesses will undoubtedly be security related and give XYZ Company areas on which to focus improvements.
To accomplish the assessment, IT will have to interview people across the enterprise. In XYZ Company's case, this will include manufacturing facilities, suppliers, and its university research centers. Additionally, IT will perform customer surveys for its website and other sales channels. External auditing of the findings is not necessary because there is little motivation for employees to overstate capabilities. If they do, their resulting targets will be unreachable and thus they will underperform later. If they understate their capabilities, they will be chided for current inefficiencies. Thus, the overall assessment should be accurate. The most cost-effective way to aggregate the data will be through a database, on which analysts can perform queries later. IT personnel will also have to travel to the locations to assess the security capabilities, as getting accurate security assessments from non-security personnel will be difficult. This will probably be the most expensive facet of the assessment.
This assessment is recommended for XYZ Company because it has a complex value chain as well as multiple sites. Its sales through multiple channels have created the opportunity for fragmented information systems across sites. Additionally, the universities where it conducts offsite research will undoubtedly have their own security procedures. This creates the opportunity for nonconforming security practices, including ones of which IT may not even be aware. Documenting all these procedures is important in developing a comprehensive enterprise-wide security plan, as fixing unknown weaknesses is virtually impossible. Creating the security plan is covered in a later checklist item.
Supporting Explanation for Check-list Item Number 2
After completing the assessment of current capabilities, the next step is to establish an enterprise-wide classification scheme, as outlined in COBIT PO2.3. Classifications should represent the criticality and sensitivity of the information. The assessment of capabilities should provide a good starting point as the...